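## The nordugridmap utility processes the arc.conf central config file.
## The --config command line option can be used to specify a
## different configuration file.
## The relevant section of the arc.conf is shown below.
## Nordugridmap reads the [vo] blocks and generates 'gridmap' files.
## [nordugridmap] block is used to fine-tune nordugridmap behavior
## and provide necessary system paths information.
##
## Security note: the generated mapfiles decide which certificate DNs are
## accepted and which local account they run as. Every source listed in a
## [vo] block, and every local file nordugridmap reads or writes, is
## therefore part of the authorization path and should be protected
## accordingly (see the per-option notes below).

[nordugridmap]
# x509_user_key path - file containing certificate private key.
# Default is '/etc/grid-security/hostkey.pem'
# x509_user_cert path - file containing public certificate.
# Default is '/etc/grid-security/hostcert.pem'
# This information is needed to contact external sources over TLS.
# https:// and vomss:// sources rely on these parameters.
# Keep the private key readable only by the account nordugridmap runs as.
x509_user_key="/etc/grid-security/hostkey.pem"
x509_user_cert="/etc/grid-security/hostcert.pem"

# x509_cert_dir path - The directory containing the CA certificates.
# This information is needed by the 'require_issuerdn' [vo] block
# option. Default is '/etc/grid-security/certificates/'.
x509_cert_dir="/etc/grid-security/certificates/"

# generate_vomapfile yes/no - control whether nordugridmap will generate
# vo-mapfile used by arc-ur-logger. Default is 'yes'
generate_vomapfile="yes"

# vomapfile file - path to vo-mapfile location.
# Default is '/etc/grid-security/grid-vo-mapfile'
vomapfile="/etc/grid-security/grid-vo-mapfile"

# log_to_file yes/no - control whether logging output of nordugridmap
# will be saved to file. Default is 'no' (STDERR is used).
log_to_file="yes"

# logfile file - specify the log file location.
# Default is '/var/log/arc/nordugridmap.log'
logfile="/var/log/arc/nordugridmap.log"

# cache_enable yes/no - control whether caching of external sources
# will be used. Default is 'yes'
cache_enable="yes"

# cachedir path - path to store cached sources.
# Default is '/var/spool/nordugrid/gridmapcache/'
# The cache feeds the mapfiles just like a live source does, so it must not
# be writable by anyone other than the nordugridmap account.
cachedir="/var/spool/nordugrid/gridmapcache/"

# cachetime seconds - controls how long cached information remains
# valid. Default is 3 days (259200).
# NOTE(review): while the cache is valid, membership changes at the source
# (e.g. a removed user) are presumably not picked up until the cache expires
# or is refreshed - confirm against the nordugridmap documentation before
# relying on this value for timely de-authorization.
cachetime="259200"

# issuer_processing relaxed/strict - control the behavior of [vo] block
# require_issuerdn parameter. See 'require_issuerdn' description for
# details. Default is 'relaxed'.
issuer_processing="relaxed"

# mapuser_processing overwrite/keep - control the behavior of [vo] block
# mapped_unixid usage. See 'mapped_unixid' description for details.
# Default is 'keep'
mapuser_processing="keep"

# allow_empty_unixid yes/no - control whether empty (or unspecified)
# 'mapped_unixid' [vo] block option is allowed to be used.
# See 'mapped_unixid' description for details. Default is 'no'
allow_empty_unixid="no"

# voms_method soap/get - control how to get information from VOMS(S)
# sources:
#   soap - call SOAP method directly using SOAP::Lite (default)
#   get  - use old implementation that manually parses XML response
voms_method="soap"

# debug level - controls the verbosity of nordugridmap output. Valid
# values are:
#   0 - FATAL   - only critical fatal error shown
#   1 - ERROR   - errors, including non-critical are shown
#   2 - WARNING (default) - configuration errors that can be ignored
#   3 - INFO    - processing information
#   4 - VERBOSE - a bit more processing information
#   5 - DEBUG   - lot of processing information
#
# When test run is requested (--test command line option of the
# nordugridmap) debug level is automatically set to 'DEBUG'.
# Levels above the default write per-user processing details (DNs) to the
# log file; treat the log as sensitive and lower the level once the
# configuration is stable.
debug="4"

# fetch_timeout seconds - control how long nordugridmap will
# wait for external sources retrieval. Default is 15 seconds.
fetch_timeout="15"
## end of [nordugridmap] block

# [vo] block is used to define VOs and generate mapfiles from users
# lists maintained by VO databases.
# [vo] blocks can also be used and referenced in authorization blocks
# or in other [vo] blocks.

[vo]
# id blockid - specifies the unique block id (not required for processing)
id="vo_1"

# vo vo_name - specifies the VO name, this name can be used in other blocks
# and in gacl expressions. MUST be given.
vo="atlas"

# file path - output gridmap-file where GENERATED mapping list will be
# stored. See attributes below to specify how to generate this file.
#
# If the same file is specified as output for different [vo] blocks,
# nordugridmap will automatically merge entries (in given blocks order).
file="/etc/grid-security/VOs/atlas-users"

# source url - the URL of the VO database which is assigned to this VO.
# The nordugridmap will use this URL to automatically generate and keep
# up-to-date userlist (mapfile) specified by the 'file' attribute.
#
# Several sources can be specified for a [vo] block and all the user
# records from those sources will be merged.
#
# The source URLs are processed from top to bottom in the given order.
# All already defined user's DN will be ignored.
#
# Currently supported URL types are:
#   http(s):// - URL to plain text file. File should contain a list
#                of DNs with optional issuer certificate authority DN
#                (see require_issuerdn): "user DN" ["issuer DN"]
#   voms(s):// - URL to VOMS-Admin interface
#   nordugrid  - add NorduGrid VO members
#   ldap://    - expect LDAP-schema formatted VO Group
#   file://    - local file (stand-alone or dynamically generated by
#                nordugridmap). File should contain a list of DNs with
#                optional mapped unixid: "user DN" [mapped user ID]
#                Result of optional mapped unixid processing depends
#                on mapuser_processing option settings.
#   vo://      - reference to another [vo] configuration block
#   edg-mkgridmap://
#              - local configuration file used by edg-mkgridmap tool.
#                nordugridmap will parse configuration from file and
#                process it as an additional [vo] block that will be
#                referenced automatically in place of the specified URL.
#                This allows easy migration from edg-mkgridmap solution
#                without rewriting your previous configuration (NOTE that
#                rarely used 'auth' directive and 'AUTO' mapping options
#                are not supported)
#
# Security notes on sources:
#   - Only https:// and vomss:// are fetched over TLS using the host
#     certificate configured in [nordugridmap]. A plain http:// or ldap://
#     source is fetched without transport protection, so anyone able to
#     alter the response on the network path can add DNs to the generated
#     mapfile. Prefer the TLS variant wherever the source offers one.
#   - file:// sources are trusted verbatim: whoever can write that local
#     file controls the mapping. Keep such files root-owned and not
#     group/world writable.
#
# You can use either vo:// or file:// entries to specify dependencies
# between [vo] blocks, but using vo:// is the recommended way.
#
# For each separate source URL it is possible to override some parameters'
# values. You can use the following syntax to perform this:
#   source="URL < parameter1=value1 parameter2=value2"
# You can override the following parameters:
#   mapped_unixid      for http(s),voms(s),ldap,file URLs
#   cache_enable       for http(s),voms(s),ldap,file URLs
#   voms_method        for voms(s) URLs
#   mapuser_processing for file URLs (If file already contains mapped_unixid
#                      control whether to overwrite it with supplied value.
#                      Only applied if mapped_unixid is overridden for URL.)
#
source="vomss://lcg-voms.cern.ch:8443/voms/atlas?/atlas/Role=VO-Admin < mapped_unixid=atlasadmin"
source="vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org"
# plain http:// - no transport integrity, see the security notes above
source="http://www.nordugrid.org/developers.dn"
# plain ldap:// - no transport integrity, see the security notes above
source="ldap://grid-vo.nikhef.nl/ou=lcg1,o=atlas,dc=eu-datagrid,dc=org"
source="file:///etc/grid-security/priviliged_users.dn"
source="vo://NorduGrid_Community"
source="nordugrid"

# mapped_unixid unixid - the local UNIXID which is used in the generated
# grid-mapfile by the nordugridmap utility.
#
# If any of the sources have already provided mapping information (file://
# or vo://) behavior depends on 'mapuser_processing' nordugridmap configuration:
#   mapuser_processing = 'overwrite': ignore already provided mapping and
#                                     apply mapped_unixid for all sources
#   mapuser_processing = 'keep':      apply mapped_unixid only for sources that
#                                     do not contain mapping information
#
# [vo] block can only have one UNIXID.
# If 'mapped_unixid' is not specified behavior depends on 'allow_empty_unixid'
# nordugridmap configuration value:
#   allow_empty_unixid = 'yes': empty value will be used for mapped_unixid
#                               which means that nordugridmap will generate only
#                               the list of DNs without mapping (consider using
#                               mapuser_processing='overwrite' or sources that
#                               do not provide mapping information)
#   allow_empty_unixid = 'no':  skip users without mapping information (no
#                               mapping information provided by sources or/and
#                               mapuser_processing='overwrite' is enabled)
#
# With mapuser_processing='keep' (the [nordugridmap] setting above), a unixid
# supplied by a file:// or vo:// source wins over this value, so a writable
# local source file can redirect users to a different local account.
mapped_unixid="gridtest"

# voms_fqan_map FQAN unixid - the local UNIXID which is used to map voms(s)
# sources with specific FQAN given.
#
# Several voms_fqan_map can be specified for a [vo] block.
# For each voms(s) source in [vo] block and every voms_fqan_map record a
# separate source record will be automatically generated with mapped_unixid
# overridden to the specified one.
#
# Sources are generated in given voms_fqan_map order. Original voms(s) source
# URL is processed last after all FQANs.
#
# This allows to simplify configuration, especially in redundancy cases when
# several VOMS servers are used for the same VO.
#
voms_fqan_map="/atlas/Role=VO-Admin atlasadmin"
voms_fqan_map="/atlas/Role=production atlasprod"

# require_issuerdn yes/no - another nordugridmap option. YES would map only
# those DNs obtained from the urls which have the corresponding public CA
# packages installed. Default is 'no'.
#
# Note that some sources do not provide issuer information (like
# voms(s):// or file://). If these sources are used within [vo] block
# and require_issuerdn is set to 'yes' behavior depends on issuer_processing
# nordugridmap configuration:
#   issuer_processing = 'relaxed': check only those records that have issuer
#                                  information provided, allow other sources
#   issuer_processing = 'strict':  if issuer information was not found record
#                                  is filtered and does not pass into mapfile
#
# With 'no', a DN is mapped even if its issuing CA is not installed under
# x509_cert_dir; the source list alone decides who is accepted.
require_issuerdn="no"

# filter ACL string - An ACL filter for the nordugridmap utility.
# Multiple allow/deny statements are possible. The fetched DNs are filtered
# against the specified rules before they are added to the generated mapfile.
#
# * can be used as a wildcard. You may run the nordugridmap with the --test
# command line option to see how the filters you specified work.
#
# NOTE(review): a wildcard pattern matches anywhere in the DN string, so
# '*NorduGrid*' also matches DNs from other CAs that merely contain the word.
# The page does not state whether first or last matching rule wins, nor the
# default when no rule matches - verify the effective result with --test
# before relying on the filter for access control.
filter="deny *infn*"
filter="allow *NorduGrid*"

# another example of VO block
[vo]
id="vo_2"
vo="NorduGrid_Community"
file="/etc/grid-security/VOs/community.dn"
# plain http:// - no transport integrity, see the security notes in vo_1
source="http://www.nordugrid.org/community.dn"
source="nordugrid"
# mapuser_processing=overwrite forces every DN in this local file onto the
# account given here, regardless of any unixid inside the file
source="file:///etc/grid-security/priviliged_users.dn < mapped_unixid=privelegeduser mapuser_processing=overwrite"
source="vomss://lcg-voms.cern.ch:8443/voms/atlas?/atlas/Role=VO-Admin < mapped_unixid=atlasadmin voms_method=soap"
mapped_unixid="communityuser"
require_issuerdn="no"
filter="deny /O=Grid/O=NorduGrid/OU=bad.site/CN=Bad User"

# one more example of VO block
# This block writes the site-wide grid-mapfile, merging every DN from the
# two referenced VOs plus a local file. Because vo:// and file:// sources
# carry their own mapping and mapuser_processing is 'keep', the 'grid'
# account below only applies to DNs that arrive without a unixid.
[vo]
id="vo_3"
vo="all_users"
file="/etc/grid-security/grid-mapfile"
source="vo://NorduGrid_Community"
source="vo://atlas"
source="file:///etc/grid-security/local-grid-mapfile.dn"
mapped_unixid="grid"

# FQAN-map use-case example
[vo]
id="vo_4"
vo="moldyngrid"
source="vomss://grid.org.ua/voms/moldyngrid"
source="vomss://moldyngrid.org/voms/moldyngrid"
# NOTE(review): the leading '.' in these unixids is presumably the
# pool-account notation of the consuming mapfile reader - confirm against
# the ARC documentation before copying this example.
voms_fqan_map="/moldyngrid/Role=VO-Admin .mdgadm"
voms_fqan_map="/moldyngrid/Role=production .mdgprd"
voms_fqan_map="/moldyngrid/md .mdgmd"
mapped_unixid=".mdg"
file="/etc/grid-security/VOs/moldyngrid"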